fix!(gotrue): change the default signOut scope to local from global #730
Conversation
|
What exactly does global mean and how does it work? Like multiple accounts authed on the same device vs just the current active one? |
| /// Determines which sessions should be logged out. | ||
| enum SignOutScope { | ||
| /// All sessions by this account will be signed out. | ||
| global, | ||
|
|
||
| /// Only this session will be signed out. | ||
| local, | ||
|
|
||
| /// All other sessions except the current one will be signed out. When using others, there is no [AuthChangeEvent.signedOut] event fired on the current session! | ||
| others, | ||
| } |
There was a problem hiding this comment.
@DanMossa
Good point. Currently it's hard for the developers to understand what the scope parameter does. I have updated the comment docs like this to improve the situation.
If I am signed in on my app from a desktop and my smart phone and I call signOut(SignOutScope.global) on my phone, I will also be signed out from the desktop.
With local, I would only be signed out from the phone, and the desktop session will remain active. I think local is the behavior that typically developers would expect.
There was a problem hiding this comment.
Oh! Yeah local definitely makes more sense then.
But I thought we use JWT tokens, so how would the Supabase goTrue server sign us out on other devices?
There was a problem hiding this comment.
@DanMossa
I think it works by revoking the refresh token, so technically the sessions on other devices will be active until the access token expires.
What kind of change does this PR introduce?
Currently when the developer calls
auth.signOut(), it signs out the user from every device. This PR changes the default value tolocal, which is probably more aligned with what a developer would expect to happen when callingauth.signOut().